About the Dell Digital Jukebox

The Dell Digital Jukebox (Dell DJ) is a DAP released by Dell Computer, using technology OEMed from Creative Labs. The internals are mostly taken from Creative's NOMAD/ZEN line of DAPs, which minor internal changes and features such as FM radio removed.

The Dell DJ uses the MTP protocol for communicating with a PC. Linux users may have to download libmtp in order to access the device. Gnomad (http://www.gnomad2.sourceforge.net) supports the Dell DJ.

Current Status

No work has been done yet on this port, as it is currently in a state of research. I am looking for information about the hardware used inside the system, and work is being done to see how the firmware is structured and stored on this device.

I only own a Generation 1 Dell DJ. If anyone has information regarding the Pocket DJ or Generation 2 (or any yummy tidbits of information!), feel free to contact me (RobertMenes), or add it to this wiki page. Please note that the DJ Ditty may not be a feasible port, and I am not considering it at this time.

Firmware Updates

Dell offers firmware updates for the DJ on their site. We need to examine how the firmware upgrade process is performed. The updates are only for Windows 2000/XP.

Firmware Reversing

The term firmware is often used to refer to the entire package of software and data, which is collectively stored in a single file (nk.bin or rk.bin) contained in the firmware updater application.
However, to avoid confusion I suggest using firmware when talking about the software only and firmware archive when talking about the entire collection.
Note: All the information in the following sub-sections applies to certain versions of the Zen Micro, Zen Touch and Zen Xtra as well.

Extracting the Firmware Archive from the Updater

As mentioned, the firmware archive is stored within the firmware updater application and extracted during updating. The firmware archive is compressed using zlib and xored with a permuted ascii key.
The chunk of data is prefixed with a 32-bit word, which holds the length of the chunk. To extract the archive manually, you first need to obtain the ascii key, then permute it as follows:

for (int i = 0; i < strlen(key); i++)
key[i] = (key[i] - 1) | 0x80;

then you need to xor the chunk with the permuted key and finally inflate it using zlib.

The attached zenfirm.rar is a utility for extracting the firmware archive automatically. It comes pre-compiled, with the source code included.

Firmware Archive Structure

The archive is split into entries consisting of a 32-bit word name and 32-bit word size, followed by the entry data:

struct FW_ENTRY {
DWORD Name;
DWORD Length;
BYTE Data[Length];
};

The first FW_ENTRY in the archive is the root entry, called CIFF, which embodies all other entries. The first child node of CIFF is CINF which contains a unicode model name string.
The next entry type is called DATA and is used to designate where to store the file it contains. The first 32 bytes of it is a file name which is either prefixed with F (for flash) or H (for harddisk).
There are two DATA entries prefixed with F: FBOOT and FRESCUE. FBOOT is assumed to be a secondary bootloader and FRESCUE is the rescue mode software (more on this later).
There are three DATA entries prefixed with H: Hjukebox2.jrs, Hsplash.jbm and Hunicjkl.nft. Hjukebox2.jrs is a string table containing localized strings used by the player.
Hsplash.jbm is the splash screen of the player, in a proprietary bitmap format. Hunicjkl.nft contains the fonts used by the player.
In addition there are two more types of entries: CENC (presumably the player software) which shares structual similarities to FBOOT (probably ISR arrays). And EXT0 whose purpose is unknown.

FRESCUE Structure

The FRESCUE file starts off with a header consisting of two 32-bits words, a tag and a size, followed by the data:

struct R_HEADER {
DWORD Tag;
DWORD Length;
BYTE Data[Length];
};

The Tag is always CODE. The Data starts off with one 32-bit word whose purpose is unknown at this point. Following is an array of section objects, which specifies where in memory to read the contained section data:

The Address specifies the physical address which the data will be written to. This array continues till the end of the file.
I've attached zenldr.rar, an IDA loader plugin which handles the FRESCUE format. The pre-compiled file zenldr.ldw is compiled for IDA 5.0.

Once mapped into memory, address 0x200 will contain an array of 32 8-byte ISR entries. The ISR entry format is as follows:

The Flags controls the operating behaviour when performing an interrupt. The ISR is a 24-bit address of the ISR handler.
The first ISR entry is the RESET vector, which points to a function named _c_int00, in the TI RTOS/BIOS source code.

Rescue Mode

I came across this when I first got my Dell DJ. If the hard drive has failed or is not connected, the DJ will enter "Rescue Mode", where you can attempt to either format the drive, or perform a firmware update. This Rescue Mode was carried across almost all of the Creative devices, most of which have a similar mode on the devices.